© 2012 SecureAuth. All rights reserved.
2-Factor Authentication and Single Sign-On in a Mobile World
Thursday, December 5, 2013
www.secureauth.com
2FA & SSO in a Mobile World - Agenda
• Challenges of Mobile Technology on the Enterprise
• The Reality of this Challenge
• Security Implications
• Mobile Architecture
• 2-Factor Authentication
• Mobile Fingerprinting
• Single Sign-on
• Self-Service Password Reset
• One-touch Revocation
• Conclusions
Mobile Challenges
• Which Mobile Device Management?
• How do you drive new services?
• How do you manage the ever-growing complexity?
• What to do when the number of devices goes up exponentially?
• Are you faced with departments bulk-buying devices without an IT process?
• How do you manage devices that suddenly appear on your network?
The Reality
• The migration from desktop to mobile has already begun
• The migration will only gain speed as mobile devices become more capable
• Business units want to move quickly
• Creates a piecemeal solution
  - Cloud based
  - Blackberry
  - Multiple MDMs
• Reactive environment managing devices suddenly appearing
• Speed to market is much greater
• Need to help employees strategically contribute to the bottom line
WHY DOES AN ENTERPRISE NEED TO BECOME AN IDENTITY PROVIDER?
(Diagram: 2005 enterprise users vs. 2013 enterprise users)
• 2005 enterprise users: 1x ID, device, password; few applications
• 2013 enterprise users (BYOD): n x IDs, devices, passwords; many applications
Security Implications in Mobile
• How do you safely allow devices not owned by corporate onto the network without adding wrappers?
• How do you separate personal and corporate data?
• Companies replacing MDM every 2-3 years
Playing vanilla is reactive:
• Long-term cost unpredictable
• Stuck using development tools native to MDM
• User satisfaction is varied
Mobile Architecture
Best Practices
• All mobile devices should connect to an SSID off the corporate network
• The User/Device should be authenticated
• Only application-level connectivity should be allowed
USING IDP TO MANAGE MOBILE
Definition:
• A system that creates, maintains, and manages identity information.
• Provides principal authentication to other service providers (applications) within a federation or distributed network.
• The IdP sends an attribute assertion containing trusted information about the user to the Service Provider (SP).
Source: MIT Knowledge Base
An IdP (Identity Provider) establishes a circle of trust between the User and the Service Provider, i.e. applications:
1. User directed to IdP
2. IdP authenticates user
3. User redirected to SP with token
(Diagram: "Scope of Trust" between the User, the Enterprise Identity Provider (IdP) and the Service Provider (SP), with the three steps numbered 1, 2, 3.)
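As an added illustration of the three-step circle of trust above (example code, not SecureAuth's or MIT's): a toy IdP and SP in Python. The HMAC-signed JSON token, the per-SP shared key, the sample user and the pre-shared OTP value are all assumptions standing in for a real SAML or WS-Fed assertion. The SP-side checks (signature, audience, expiry, one-time use) go slightly beyond the three bullets; they are what keeps the trust scoped to the parties inside the circle, since a token minted for another SP, a tampered token, or a replayed token is refused.

```python
"""Toy model of the three-step IdP / SP flow from the slide. Added example,
not SecureAuth code: the HMAC-signed JSON token, the per-SP shared key and
the sample user are assumptions standing in for a SAML or WS-Fed assertion."""
import hashlib
import hmac
import json
import secrets
import time

SP_URL = "https://app.example.test/acs"             # assumed Service Provider endpoint
SP_KEYS = {SP_URL: secrets.token_bytes(32)}          # scope of trust: keys only for registered SPs
SAMPLE_USERS = {"alice": ("pw-example", "123456")}   # constructed: (password, current OTP)


class IdentityProvider:
    def __init__(self, sp_keys, users):
        self.sp_keys = sp_keys
        self.users = users

    def authenticate(self, username, password, otp):
        """Step 2: both factors must verify. The OTP is a pre-shared sample value;
        a real IdP would check a TOTP or SMS code instead."""
        rec = self.users.get(username)
        if rec is None:
            return False
        expected_pw, expected_otp = rec
        return (hmac.compare_digest(password, expected_pw)
                and hmac.compare_digest(otp, expected_otp))

    def issue_token(self, username, audience, ttl=300):
        """Step 3: a short-lived attribute assertion bound to one SP (audience).
        An SP outside the circle of trust has no key, so KeyError is raised."""
        key = self.sp_keys[audience]
        claims = {"sub": username, "aud": audience,
                  "exp": int(time.time()) + ttl, "jti": secrets.token_hex(8)}
        body = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(key, body, hashlib.sha256).hexdigest()
        return body.hex() + "." + sig


class ServiceProvider:
    def __init__(self, acs_url, key):
        self.acs_url = acs_url
        self.key = key
        self.seen_ids = set()  # one-time token ids, to refuse replays

    def validate(self, token, now=None):
        """Return the asserted subject, or None if the token is not trustworthy."""
        now = time.time() if now is None else now
        try:
            body_hex, sig = token.split(".")
            body = bytes.fromhex(body_hex)
        except ValueError:
            return None
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None          # tampered, or signed by someone outside the circle
        claims = json.loads(body)
        if claims["aud"] != self.acs_url:
            return None          # token minted for a different SP
        if claims["exp"] < now or claims["jti"] in self.seen_ids:
            return None          # expired, or already presented once
        self.seen_ids.add(claims["jti"])
        return claims["sub"]


def build_parties():
    """Wire one IdP and one SP that share a registration."""
    return IdentityProvider(SP_KEYS, SAMPLE_USERS), ServiceProvider(SP_URL, SP_KEYS[SP_URL])


def sso_flow(idp, sp, username, password, otp):
    """Step 1: the SP has no session and sends the user to the IdP, naming
    itself as audience; steps 2 and 3 follow. Returns the accepted identity."""
    if not idp.authenticate(username, password, otp):
        return None
    token = idp.issue_token(username, audience=sp.acs_url)
    return sp.validate(token)


if __name__ == "__main__":
    idp, sp = build_parties()
    print(sso_flow(idp, sp, "alice", "pw-example", "123456"))
```

The user never hands a password to the SP; the SP only ever sees the IdP's signed assertion, which is the point of the slide's "circle of trust".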
2-Factor Authentication
• X.509 v3 Certificates
• SMS OTP
• Telephony OTP
• E-mail OTP
• Help Desk
• Prox Cards
• NFC
• Yubikey USB Keys
• CAC/PIV Cards
• Kerberos / IWA
• Static PIN
• Custom
THE AUTHENTICATION FUNNEL
(Diagram: a funnel with the stages Accept, Authentication, Authorization, Accounting, Assert, annotated "This is where the integrators/consultants put their hacks in place.")
Mobile Device Fingerprinting
• Pulls unique device characteristics such as:
  • Headers, Fonts, Time Zones, etc.
• Can set "trust period" of device
  • From hours to years
• Can revoke with "1-touch"
  • From help desk console
  • Select which device to revoke
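An added example (not SecureAuth's implementation) of how the three bullets above fit together: the collected characteristics are hashed into a device fingerprint, a trust period is recorded after a successful 2-factor login, and a help-desk operator revokes one selected device. The field names, the exact-match SHA-256 fingerprint, the in-memory store and the sample phone are assumptions. The fingerprint is treated as a signal that decides whether to step up to a second factor, never as a secret that replaces one; a changed characteristic (here, the time zone) simply makes the device look new and triggers step-up again.

```python
"""Device fingerprinting with a trust period and help-desk revocation, as the
slide outlines. Added example, not SecureAuth's implementation: the collected
fields, the exact-match SHA-256 fingerprint and the in-memory store are assumptions."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

FINGERPRINT_FIELDS = ("user_agent", "accept_language", "fonts", "time_zone")
ONE_DAY = timedelta(days=1)
T0 = datetime(2013, 12, 5, 9, 0, tzinfo=timezone.utc)    # constructed reference time
SAMPLE_PHONE = {                                           # constructed device characteristics
    "user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X)",
    "accept_language": "en-US",
    "fonts": ["Helvetica", "Arial"],
    "time_zone": "America/Los_Angeles",
}


def fingerprint(device_info):
    """Hash the canonical form of the characteristics; font order must not matter."""
    canon = {k: device_info.get(k) for k in FINGERPRINT_FIELDS}
    if isinstance(canon["fonts"], (list, tuple)):
        canon["fonts"] = sorted(canon["fonts"])
    data = json.dumps(canon, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class DeviceTrustStore:
    def __init__(self):
        self.devices = {}  # user -> {fingerprint: {"label": str, "trusted_until": datetime}}

    def needs_second_factor(self, user, device_info, now):
        """Step-up is required when the device is unknown, expired or revoked."""
        rec = self.devices.get(user, {}).get(fingerprint(device_info))
        return rec is None or rec["trusted_until"] <= now

    def trust(self, user, device_info, now, trust_period, label):
        """Record the device after a successful 2-factor login; returns its id."""
        fp = fingerprint(device_info)
        self.devices.setdefault(user, {})[fp] = {"label": label,
                                                 "trusted_until": now + trust_period}
        return fp

    def list_devices(self, user):
        """What a help-desk console would show: label, short id, expiry."""
        return [(rec["label"], fp[:12], rec["trusted_until"].isoformat())
                for fp, rec in self.devices.get(user, {}).items()]

    def revoke(self, user, short_id):
        """One-touch revocation: the operator selects one device by its short id.
        Refuses when the id matches zero or several devices."""
        matches = [fp for fp in self.devices.get(user, {}) if fp.startswith(short_id)]
        if len(matches) != 1:
            return False
        del self.devices[user][matches[0]]
        return True


if __name__ == "__main__":
    store = DeviceTrustStore()
    store.trust("alice", SAMPLE_PHONE, T0, 30 * ONE_DAY, "alice's iPhone")
    print(store.list_devices("alice"))
```

The trust period is whatever `trust_period` the policy passes in (hours or years, as the slide says); revocation deletes the record, so the next login from that device goes through the second factor again rather than being locked out.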
IdP for Mobile
SecureAuth Delivers:
1. Multi-Factor Authentication
2. IdP (SSO to cloud, web, gateways, mobile)
3. IdM (Identity Management)
Single SSO/2F Platform for Web, Network, Cloud and Mobile Resources
IdP - The (4) Resources
4 Key IdP integrations
1. Web
2. VPN/Gateways
3. SaaS/Cloud
4. Mobile
1. IdP – SSO (Web)
(Diagram: after 2-Factor authentication the IdP asserts identity (2F/SSO) to Enterprise Web Applications; label: PKBA.)
2. IdP – SSO (VPN/Gateway)
(Diagram: after 2-Factor authentication the IdP asserts identity (2F/SSO) to Gateways / VPNs; label: PKBA.)
3. IdP – SSO (Cloud/SaaS)
(Diagram: after 2-Factor authentication the IdP asserts identity (2F/SSO) to SaaS Apps; label: PKBA.)
4. IdP – Native Mobile Apps
2F/SSO for mobile provides:
• 2-Factor Auth
• Directory-based Auth
• SSO to other apps
• No thick client
(Diagram: the IdP asserts identity (2F/SSO) to native mobile apps.)
Configurable Authentication: 20 methods
SecureAuth IdP
1. SMS OTP
2. Telephony OTP
3. Email OTP
4. Static PIN
5. KBA/KBQ
6. Yubikey (USB)
7. X.509 Native
8. X.509 Java
9. NFC Prox Card
10. CAC/PIV Card
11. Mobile OATH Token (TOTP)
12. Browser OATH Token
13. Windows Desktop OATH Token
14. 3rd Party OATH Tokens
15. PUSH Notification
16. Help Desk
17. Social IDs (Google, Facebook, Twitter, LinkedIn)
18. Federated IDs (SAML, WS-Fed, OpenId)
19. Device Fingerprinting
20. Password
Conclusion – Mobile Strategy
1. There are alternatives to MDM
2. MDM solutions have a 2-3 year life cycle
3. MDM may limit your ability to service users
4. Keep mobile devices off corporate networks. WiFi SSID should be separate from Corporate WAN/LAN
5. Take an application-centric approach to mobile
6. 2-factor/Multifactor Authenticate the User AND the Device
7. Leverage native mobile applications and web applications
8. Allow single sign-on to native, web, and SaaS applications
9. Enable users to strategically contribute to the bottom line
10. Mobile strategies should be enabling
Thank you!
SecureAuth Contacts

| Who | Title | E-mail | Phone |
|---|---|---|---|
| Sales | Sales | [email protected] | +1.949.777.6959 |
| Joe Revels | Sales Director, Northwest and Asia Pacific | [email protected] | +1.415.302.3002 |

www.secureauth.com